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This  paper  presents  optimizations  for  verifying  systems  with  complex 
time-invariant  constraints.  These  constraints  arise  naturally  from 
modeling  physical  systems,  e.g.,  in  establishing  the  relationship  between 
different  components  in  a  system.  To  verify  constraint-rich  systems,  we 
propose  two  new  optimizations.  The  first  optimization  is  a  simple,  yet 
powerful,  extension  of  the  conjunctive-partitioning  algorithm.  The  second 
is  a  collection  of  BDD-based  macro-extraction  and  macro-expansion 
algorithms  to  remove  state  variables.  We  show  that  these  two 
optimizations  are  essential  in  verifying  constraint-rich  problems;  in 
particular,  this  work  has  enabled  the  verification  of  fault  diagnosis 
models  of  the  Nomad  robot  (an  Antarctic  meteorite  explorer)  and  of  the 
NASA  Deep  Space  One  spacecraft. 
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Abstract 


This  paper  presents  optimizations  for  verifying  systems  with  complex  time- 
invariant  constraints.,  These  constraints  arise  naturally  from  modeling  physical 
systems,  e.g.,  in  establishing  the  relationship  between  different  components  in  a 
system.  To  verify  constraint-rich  systems,  we  propose  two  new  optimizations. 
The  first  optimization  is  a  simple,  yet  powerful,  extension  of  the  conjunctive¬ 
partitioning  algorithm.  The  second  is  a  collection  of  BDD-based  macro-extraction 
and  macro-expansion  algorithms  to  remove  state  variables.  We  show  that  these  two 
optimizations  are  essential  in  verifying  constraint-rich  problems;  in  particular,  this 
work  has  enabled  the  verification  of  fault  diagnosis  models  of  the  Nomad  robot  (an 
Antarctic  meteorite  explorer)  and  of  the  NASA  Deep  Space  One  spacecraft. 


1  Introduction 


This  paper  presents  techniques  for  using  symbolic  model  checking  to  automatically 
verify  a  class  of  real-world  applications  that  have  many  time-invariant  constraints. 
An  example  of  constraint-rich  systems  is  the  symbolic  models  developed  by  NASA 
for  on-line  fault  diagnosis  [16].  These  models  describe  the  operation  of  compo¬ 
nents  in  complex  electro-mechanical  systems,  such  as  autonomous  spacecraft  or 
robot  explorers.  The  models  consist  of  intercoimected  components  (e.g.,  thrusters, 
sensors,  motors,  computers,  and  valves)  and  describe  how  the  mode  of  each  com¬ 
ponent  changes  over  time.  Based  on  these  models,  the  Livingstone  diagnostic  en¬ 
gine  [16]  monitors  sensor  values  and  detects,  diagnoses,  and  tries  to  recover  from 
inconsistencies  between  the  observed  sensor  values  and  the  predicted  modes  of  the 
components.  The  relationships  between  the  modes  and  sensor  values  are  encoded 
using  symbolic  constraints.  Constraints  between  state  variables  are  also  used  to 
encode  interconnections  between  components.  We  have  developed  an  automatic 
translator  from  such  fault  models  to  SMV  (Symbolic  Model  Verifier)  [11],  where 
mode  transitions  are  encoded  as  transition  relations  and  state-variable  constraints 
are  translated  into  sets  of  time-invariant  constraints. 

To  verify  constraint-rich  systems,  we  introduce  two  new  optimizations.  The 
first  optimization  is  a  simple  extension  of  the  conjunctive-partitioning  algorithm 
The  other  is  a  collection  of  BDD-based  macro-extraction  and  macro-expansion 
algorithms  to  remove  redundant  state  variables.  We  show  that  these  two  optimiza¬ 
tions  are  essential  in  verifying  constraint-rich  problems.  In  particular,  these  opti¬ 
mizations  have  enabled  the  verification  of  fault  diagnosis  models  for  the  Nomad 
robot  (an  Antarctic  meteorite  explorer)  [1]  and  the  NASA  Deep  Space  One  (DSl) 
spacecraft  [2].  These  models  can  be  quite  large,  with  up  to  1200  state  bits. 

The  rest  of  this  paper  is  organized  as  follows.  We  first  briefly  describe  symbolic 
model  checking  and  how  time-invariant  constraints  arise  naturally  from  modeling 
(Section  2).  We  then  present  our  new  optimizations:  an  extension  to  conjunctive 
partitioning  (Section  3),  and  BDD-based  algorithms  for  eliminating  redundant  state 
variables  (Section  4).  We  then  show  the  results  of  a  performance  evaluation  on  the 
effects  of  each  optimization  (Section  5).  Finally,  we  present  a  comparison  to  prior 
work  (Section  6)  and  some  concluding  remarks  (Section  7). 

2  Background 

Symbolic  model  checking  [5, 7, 1 1]  is  a  fully  automatic  verification  paradigm  that 
checks  temporal  properties  (e.g.,  safety,  liveness,  fairness,  etc.)  of  finite  state  sys¬ 
tems  by  symbolic  state  traversal.  The  core  enabling  technology  for  symbolic  model 
checking  is  the  use  of  the  Binary  Decision  Diagram  (BDD)  representation  [4]  for 
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state  sets  and  state  transitions.  BDDs  represent  Boolean  formulas  canonically  as 
directed  acyclic  graphs  such  that  equivalent  sub-formulas  are  uniquely  represented 
as  a  single  subgraph.  This  uniqueness  property  makes  BDDs  compact  and  enables 
dynamic  programming  to  be  used  for  computing  Boolean  operations  symbolically. 

To  use  BDDs  in  model  checking,  we  need  to  map  sets  of  states,  state  transitions, 
and  state  traversal  to  the  Boolean  domain.  In  this  section,  we  briefly  describe 
this  mapping  and  motivate  how  time-invariant  constraints  arise.  We  finish  with 
definitions  of  some  additional  terminology  to  be  used  in  the  rest  of  the  paper. 

2.1  Representing  State  Sets  and  It'ansitions 

In  the  symbolic  model  checking  of  finite  state  systems,  a  state  typically  describes 
the  values  of  many  components  (e.g.,  latches  in  digital  circuits)  and  each  compo¬ 
nent  is  represented  by  a  state  variable.  Let  V  =  {ui, ...,  Un}  be  the  set  of  state 
variables  in  a  system,  then  a  state  can  be  described  by  assigning  values  to  all  the 
variables  in  V.  This  valuation  can  in  term  be  written  as  a  Boolean  formula  that  is 
true  exactly  for  the  valuation  as  A"=o(^i  ==  where  c*  is  the  value  assigned  to 
the  variable  u,  ,  and  the  “==”  represents  the  equality  operator  in  a  predicate  (similar 
to  the  C  programming  language).  A  set  of  states  can  be  represented  as  a  disjunction 
of  the  Boolean  formulas  that  represent  the  states.  We  denote  the  BDD  representa¬ 
tion  for  a  set  of  states  5  by  5  (F) . 

In  addition  to  the  set  of  states,  we  also  need  to  map  the  system’s  state  transitions 
to  the  Boolean  domain.  We  extend  the  above  concept  of  representing  a  set  of  states 
to  representing  a  set  of  ordered-pairs  of  states.  To  represent  a  pair  of  states,  we 
need  two  sets  of  state  variables:  V  the  set  of  present-state  variables  for  the  first 
tuple  and  V  the  set  of  next-state  variables  for  the  second  tuple.  Each  variable  v  in 
V  has  a  corresponding  next-state  variable  v'  in  V.  A  valuation  of  variables  in  V 
and  V'  can  be  viewed  as  a  state  transition  from  one  state  to  anothCT.  A  transition 
relation  can  then  be  represented  as  a  set  of  these  valuations.  We  denote  the  BDD 
representation  of  a  transition  relation  T  as  r(y,  V'). 

In  modeling  finite  state  systems,  the  overall  state  transitions  are  generally  spec¬ 
ified  by  defining  the  valid  transitions  for  each  state  variable.  To  support  non- 
deterministic  transitions  of  a  state  variable,  the  expression  that  defines  the  tran¬ 
sitions  evaluates  to  a  set,  and  the  next-state  value  of  the  state  variable  is  non- 
deterministically  chosen  from  the  elements  in  the  set.  Hereafter,  we  refer  to  an 
expression  that  evaluates  to  a  set  either  as  a  set  expression  or  as  a  non-deterministic 
expression  depending  on  the  context,  and  we  use  the  bold  font  type,  as  in  f,  to  rep¬ 
resent  such  expression.  Let  fj  be  the  set  expression  representing  state  transitions 
of  the  state  variable  Vi.  Then  the  BDD  representation  for  t7,  ’s  transition  relation  Tj 
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can  be  defined  as 


TiiV,r)  ;=  K€fi(F)). 

For  synchronous  systems,  the  BDD  for  the  overall  state  transition  relation  T  is 

n 

T{vy)-.=  /\Ti{vy). 

i=0 

Detailed  descriptions  on  this  formulation,  including  mapping  of  asynchronous  sys¬ 
tems,  can  be  found  in  [5, 1 1]. 

Note  that  in  the  above  formulation,  we  also  need  to  represent  non-Boolean 
expressions  (such  as  fj’s)  or  non-Boolean  variables  as  part  of  intermediate  step. 
These  non-Boolean  formulas  can  be  represented  using  variants  of  BDDs  (e.g., 
MTBDD  [6])  that  extend  the  BDD  concept  to  include  non-Boolean  values.  These 
extensions  also  include  algorithms  for  Boolean  operators  with  non-Boolean  argu¬ 
ments  like  the  “==”  and  We  will  refer  to  all  these  BDD-variants  simply  as 
BDDs. 

I 

2.2  Time-Invariant  Constraints  and  Their  Common  Usages 

In  symbolic  model  checking,  time-invariant  constraints  specify  the  conditions  that 
must  always  hold.  More  formally,  let  Cj, . . . ,  C;  be  the  time-invariant  constraints 
and  let  C  :=  Ci  A  C2  A  ...  A  Ci.  Then,  in  symbolic  state  traversal,  we  consider 
only  states  where  C  is  true.  We  refer  to  C  as  the  constrained  space. 

To  motivate  how  time-invariant  constraints  arise  naturally  in  modeling  complex 
systems,  we  describe  three  common  usages.  One  common  usage  is  to  makp.  the 
same  non-deterministic  choice  across  multiple  expressions  in  transition  relations. 
For  example,  in  a  master-slave  model,  the  master  can  non-deterministically  choose 
which  set  of  idle  slaves  to  assign  the  pending  jobs,  and  the  slaves’  next-state  values 
will  depend  on  the  choice  made.  To  model  this,  let  f  be  the  non-deterministic 
expression  representing  how  the  master  makes  its  choice.  If  the  slaves’  transition 
relations  are  defined  using  the  expression  f  directly,  then  each  use  of  f  makes  its 
own  non-deterministic  choice  independent  of  other  uses.  Thus,  to  ensure  that  all  the 
slaves  see  the  same  non-deterministic  choice,  a  new  state  variable  u  is  introduced  to 
record  the  choice  made,  and  u  is  then  used  to  define  the  slaves’  transition  relations. 
This  recording  process  is  expressed  as  the  time-invariant  constraint  w  €  f. 

Another  common  usage  is  for  establishing  the  interface  between  different  com¬ 
ponents  in  a  system.  For  example,  suppose  two  components  are  connected  with  a 
pipe  of  a  fixed  capacity.  Then,  the  input  of  one  component  is  the  minimum  of  the 
pipe  s  capacity  and  the  output  of  the  other  component.  This  relationship  is  de¬ 
scribed  as  a  time-invariant  constraint  between  the  input  and  the  output  of  these  two 
components. 
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Third  common  usage  is  specific  uses  of  generic  parts.  For  example,  a  bi¬ 
directional  fuel  pipe  may  be  used  to  connect  two  components.  If  we  want  to  make 
sure  the  fuel  flows  only  one  way,  we  need  to  constrain  the  valves  in  the  fuel  pipe. 
These  constraints  are  specified  as  time-invariant  constraints.  In  general,  specific 
uses  of  generic  parts  arise  naturally  in  both  the  software  and  the  hardware  domain 
as  we  often  use  generic  building  blocks  in  constructing  a  complex  system. 

In  the  examples  above,  the  use  of  time-invariant  constraints  is  not  always  nec¬ 
essary  because  some  these  constraints  can  be  directly  expressed  as  a  part  of  the 
transition  relation  and  the  associated  state  variables  can  be  removed.  However, 
these  constraints  are  used  to  facilitate  the  description  of  the  system  or  to  reflect  the 
way  complex  systems  are  built.  Without  these  constraints,  multiple  expressions 
will  need  to  be  combined  into  possibly  a  very  complicated  expression.  Perform¬ 
ing  this  transformation  manually  can  be  labor  intensive  and  error-prone.  Thus  it 
is  up  to  the  verification  tool  to  automatically  perform  these  transformations  and 
remove  unnecessary  state  variables.  Our  optimizations  for  constraint-rich  models 
is  to  automatically  eliminate  redundant  state  variables  (Section  4)  and  partition  the 
remaining  constraints  (Section  3). 

2.3  Symbolic  State  lYaversal 

To  reason  about  temporal  properties,  the  pre-image  and  the  image  of  the  transition 
relation  are  used  for  symbolic  state  traversal,  and  time-invariant  constraints  are 
used  to  restrict  the  valid  state  space.  Based  on  the  BDD  representations  of  a  state 
set  S  and  the  transition  relation  T,  we  can  compute  the  pre-image  and  the  image 
of  5,  while  restricting  the  computations  to  the  constrained  space  C,  as  follows: 

pre-image{S){V)  :=  C{V)  .[T{V,V')  h  {S{V')  ^C{V'))]  (1) 

image{S){V')  :=  C(y')  A  3y.[r(y,  V')  A  (^(y)  A  C(y))]  (2) 

One  limitation  of  the  BDD  representation  is  that  the  monolithic  BDD  for  the 
transition  relation  T  is  often  too  large  to  build.  A  solution  to  this  problem  is  the 
conjunctive  partitioning  [5]  of  the  transition  relation.  In  conjunctive  partitioning, 
the  transition  relation  is  represented  as  a  conjimction  Pi  A  P2  A  ...  A  Pk  with  each 
conjunct  Pi  represented  by  a  BDD.  Then,  the  pre-image  can  be  computed  by  con- 
juncting  with  one  P,  at  a  time,  and  by  using  early  quantification  to  quantify  out 
variables  as  soon  as  possible.  The  early-quantification  optimization  is  based  on  the 
property  that  sub-formulas  can  be  moved  out  of  the  scope  of  an  existential  quan¬ 
tification  if  they  do  not  depend  on  any  of  the  variables  being  quantified.  Formally, 
let  Vf,  a  subset  of  V,  be  the  set  of  variables  that  do  not  appear  in  any  of  the  subse¬ 
quent  Pj’s,  where  1  <i  <k  and  i  <j<k.  Then  the  pre-image  can  be  computed 
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as 


Pi  :=  3F/.[Pi(F,F0a(5(F0aC(F0)]  0) 

P2  :=  ^Vi.[P2{Vy)Api\ 


Pk  :=  ^VUPk{Vy)^pk-^] 
pre-inuige{S){V)  :=  C(F)Apfc 

The  determination  and  ordering  of  partitions  (the  Pi's  in  above)  can  have  sig¬ 
nificant  performance  impact.  Commonly  used  heuristics  [8, 12]  treat  the  state  vari¬ 
ables’  transition  relations  (Tj’s)  as  the  partitions.  The  ordering  step  then  greedily 
schedules  the  partitions  to  quantify  out  more  variables  as  soon  as  possible,  while 
introducing  fewer  new  variables.  Finally,  the  ordered  partitions  are  tentatively 
merged  with  their  predecessors  to  reduce  the  number  of  intermediate  results.  Each 
merged  result  is  kept  only  if  the  resulting  graph  size  is  less  than  a  pre-determined 
limit. 

The  conjunctive  partitioning  for  the  image  computation  is  performed  similarly 
with  present-state  variables  in  V  being  the  quantifying  variables  instead  of  next- 
state  variables  in  V.  However,  since  the  quantifying  variables  are  different  be¬ 
tween  the  image  and  the  pre-image  computation,  the  resulting  conjuncts  for  image 
computation  is  typically  very  different  fijom  those  for  pre-image  computation. 


2.4  Additional  Terminology 

We  define  the  support  variables  of  a  function  to  be  the  variables  that  the  function 
depends  on,  and  the  support  of  a  function  to  be  the  set  of  support  variables.  We 
define  the  ITE  operator  (if-then-else)  as  follows:  given  arbitrary  expressions  /  and 
g  where  /  and  g  may  both  be  set  expressions,  and  Boolean  expression  p,  then 


ITE{pJ,g){X) 


f{X)  ifp{X); 
g{X)  otherwise; 


where  X  is  the  set  of  variables  used  in  expressions  p,  /,  and  g.  We  define  a  care- 
space  optimization  as  any  algorithm  care-opt  that  has  following  properties:  given 
an  arbitrary  expression  /  where  /  may  be  a  set  expression,  and  a  Boolean  formula 
c,  then 

care-opt{f,  c)  :=  ITE(c,  f,  d) , 

where  d  is  defined  by  the  particular  algorithm  used.  The  usual  interpretation  of  this 
is  that  we  only  care  about  the  values  of  /  when  c  is  true.  We  will  refer  to  c  as  the 
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care  space  and  -ic  as  the  don  ’t-care  space.  The  goal  of  care-space  optimizations 
is  to  heuristically  minimize  the  representation  for  /  by  choosing  a  suitable  d  in 
the  don’t-care  space.  Descriptions  and  a  study  of  some  care-space  optimizations, 
including  the  commonly  used  restrict  algorithm  [7],  can  be  found  in  [14]. 


3  Extended  Conjunctive  Partitioning 

The  first  optimization  is  the  application  of  the  conjunctive-partitioning  algorithm 
on  the  time-invariant  constraints.  This  extension  is  derived  based  on  two  obser¬ 
vations.  First,  as  with  the  transition  relations,  the  BDD  representation  for  time- 
invaiiant  constraints  can  be  too  large  to  be  represented  as  a  monolithic  graph.  Thus, 
it  is  crucial  to  represent  the  constraints  as  a  set  of  conjuncts  rather  than  a  monolithic 
graph. 

Second,  in  constraint-rich  models,  many  quantifying  variables  (variables  be¬ 
ing  quantified)  do  not  appear  in  the  transition  relation.  There  are  two  common 
causes  for  this.  First,  when  time-invariant  constraints  are  used  to  make  the  same 
non-deterministic  choices,  new  variables  are  introduced  to  record  these  choices 
(described  as  the  first  example  in  Section  2.2).  In  the  transition  relation,  these 
new  variables  are  used  only  in  their  present-state  form.  Thus,  their  corresponding 
next-state  variables  do  not  appear  in  the  transition  relation,  and  for  the  pre-image 
computation,  these  next-state  variables  are  parts  of  the  quantifying  variables.  The 
other  cause  is  that  many  state  variables  are  used  only  to  establish  time-invariant 
constraints.  Thus,  both  the  present-  and  the  next-state  version  of  these  variables  do 
not  appear  in  the  transition  relations. 

Based  on  this  observation,  we  can  improve  tiie  early-quantification  optimiza¬ 
tion  by  pulling  out  the  quantifying  variables  (Iq')  that  do  not  appear  in  any  of 
the  transition  relations.  Then,  these  quantifying  variables  (Vq)  can  be  used  for 
early  quantification  in  conjunctive  partitioning  of  the  constrained  space  (C)  where 
the  time-invariant  constraints  hold.  Formally,  let  Qi,Q2,  —,Qm  be  the  parti¬ 
tions  produced  by  the  conjunctive  partitioning  of  the  constrained  space  C,  where 
C  =  Qi  AQ2  A  ...  A  Qm-  For  the  pre-image  computation.  Equation  3  is  replaced 
by 


:=  3iyi'.[Qi(yOA-5(]^0] 

92  :=  3WUQ2{V')Aqi] 

qm  :=  3WUQm{V')Aqm-i] 
Pi  :=  3V{.[Px{Vy)Aqm] 
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where  W- ,  a  subset  of  Vq,  is  the  set  of  variables  that  do  not  appear  in  any  of  the 
subsequent  Qj%  where  1  <  i  <  m  md  i  <  j  <  m.  Similarly,  this  extension  also 
applies  to  the  image  computation. 

4  Elimination  of  Redundant  State  Variables 

Our  second  optimization  for  constraint-rich  models  is  taigeted  at  reducing  the  state 
space  by  removing  unnecessary  state  variables.  This  optimization  is  a  set  of  BDD- 
based  algorithms  that  compute  an  equivalent  expression  for  each  variable  used  in 
the  time-invariant  constraints  (macro  extraction)  and  then  globally  replace  a  suit¬ 
able  subset  of  variables  with  their  equivalent  expressions  (macro  expansion)  to 
reduce  the  total  number  of  variables . 

The  use  of  macros  is  traditionally  supported  by  language  constructs  (e.g.,  DE¬ 
FINE  in  the  SMV  language  [11])  and  by  simple  syntactic  analyses  such  as  detecting 
deterministic  assignments  (e.g.,  a~  f  where  a  is  a  state  variable  and  /  is  an  ex¬ 
pression)  in  the  specifications.  However,  in  constraint-rich  models,  the  constraints 
are  often  specified  in  a  more  complex  manner  such  as  conditional  dependencies  on 
other  state  variables  (e.g.,  p=^  (a  ==  /)  as  conditional  assignment  of  expression 
/  to  variable  a  when  p  is  true).  To  identify  the  set  of  valid  macros  in  such  models, 
we  need  to  combine  the  effects  of  multiple  constraints.  One  drawback  of  syntactic 
analysis  is  that,  for  each  type  of  expression,  syntactic  analysis  will  need  to  add 
a  template  to  pattern  match  these  expressions.  Another  more  severe  drawback  is 
that  it  is  difficult  for  syntactic  analysis  to  estimate  the  actual  cost  of  instantiating  a 
macro.  Estimating  this  cost  is  important  because  reducing  the  number  of  variables 
by  macro  expansion  can  sometimes  result  in  significant  performance  degradation 
caused  by  large  increases  in  other  BDD  sizes.  These  two  drawbacks  make  the 
syntactic  approach  unsuitable  for  models  with  complex  time-invariant  constraints. 

Our  approach  uses  BDD-based  algorithms  to  analyze  time-invariant  constraints 
and  to  derive  the  set  of  possible  macros.  The  core  algorithm  is  a  new  assignment- 
extraction  algorithm  that  extracts  assignments  from  arbitrary  Boolean  expressions 
(Section  4.1).  For  each  variable,  by  extracting  its  assignment  form,  we  can  de¬ 
termine  the  variable’s  corresponding  equivalent  expression,  and  when  appropri¬ 
ate,  globally  replace  the  variable  with  its  equivalent  expression  (Section  4.2).  The 
strength  of  this  algorithm  is  that  by  using  BDDs,  the  cost  of  macro  expansion  can  be 
better  characterized  because  the  actual  model  checking  computation  is  performed 
using  BDDs. 

Note  that  there  have  been  a  number  of  research  efforts  on  BDD-based  redun¬ 
dant  state-variable  removal.  To  better  compare  our  approach  to  these  previous  re¬ 
search  efforts,  we  postpone  the  discussion  of  this  prior  work  until  Section  6,  after 
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describing  our  algorithms  and  the  performance  evaluation. 

4.1  BDD-Based  Assignment  Extraction 

The  assignment-extraction  problem  can  be  stated  as  follows:  given  an  arbitrary 
Boolean  formula  /  and  a  variable  v  (where  v  can  be  non-Boolean),  find  g  and  h 
such  that 

•  f  =  {v  eg)  Ah, 

•  g  does  not  depend  on  v,  and 

•  his  a  Boolean  formula  and  does  not  depend  on  v. 

The  expression  (v  G  g)  represents  a  non-deterministic  assignment  to  variable  v. 
In  the  case  that  g  always  evaluates  to  a  singleton  set,  the  assignment  (u  G  g)  is 
deterministic.  A  solution  to  this  assignment-extraction  problem  is  as  follows: 

h  =  3v.f 

t  =  U  /TB(/U^fc,{A:},0) 
g  =  restrictit,  h) 

where  Ky  is  the  set  of  all  possible  values  of  variable  v,  and  restrict  [7]  is  a  care- 
space  optimization  algorithm  that  tries  to  reduce  the  BDD  graph  size  (of  t)  by 
collapsing  the  don’t-care  space  (-i/i).  The  BDD  algorithm  for  the 
is  similar  to  the  BDD  algorithm  for  the  existential  quantification  with  Ihe  V  oper¬ 
ator  replaced  by  the  U  operator  for  variable  quantification.  A  correctness  proof  of  > 
this  algorithm  is  included  in  Appendix  A. 

Currently,  we  do  not  have  any  optimality  guarantees  for  this  solution.  We  do 
know  that  the  solution  g  does  not  always  have  the  minimum  number  of  support 
variables.  i.e.,  g  is  not  necessary  a  minimum-support  solution.  However,  based  on 
the  behavior  of  the  restrict  algorithm,  we  have  formed  a  conjecture  about  the  rela¬ 
tionship  between  g  and  any  minimum-support  solution.  Informally,  this  conjecture 
states  that  g  can  be  converted  to  any  minimum-support  solution  via  a  sequence  of 
variable  substitutions,  and  that  these  substitutions  are  parts  of  equality  decomposi¬ 
tion  of  h.  More  formally. 

Conjecture  1  Let  gmin  he  a  solution  with  the  minimum  number  of  support  vari¬ 
ables.  Then,  there  exists  a  sequence  ofn  substitutions  (yn  <—  Cj)  where  Ui’s  are 
variables,  e,  ’s  are  expressions,  and  1  <  i  <  n,  such  that 

•  letgo  =  g,andgi  =  g^.^  forl<i<n,  then  g„  =  and 
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•  h  ^  (Aj=l(^i - ^i))- 

If  this  conjecture  is  true,  then  we  know  that  even  though  each  right-hand-side  ex¬ 
pression  g  extracted  might  have  more  support  variables  than  necessary,  these  addi¬ 
tional  variables  can  be  eliminated  later  by  other  macros  (the  (u;  ==  e^j’s  above). 

The  above  eonjecture  is  based  on  the  observation  that  given  variable  u,  expres¬ 
sions  /  and  e,  where 

•  /depends  on  M, 

•  €  does  not  depend  on  u,  and 

•  u’s  variable  order  sueceeds  any  of  e’s  support  variables’  variable  order, 

then,  restrict^/ ,  (w  ==  e))  =  Another  way  of  looking  at  this  is  that  using 

restrict,  a  variable  (u)  might  not  be  removed  if  its  variable  order  does  not  come 
after  the  orders  of  its  equivalent  expression’s  (e’s)  support  variables.  To  prove  the 
above  conjecture,  we  will  need  to  first  prove  that  equality  expressions  are  the  only 
reason  that  the  restrict  algorithm  may  not  produce  minimum  support  solution. 

Note  that  in  the  assignment-extraction  algorithm,  the  use  of  the  restrict  algo¬ 
rithm  is  not  necessary.  In  fact,  any  care-space  optimization  algorithms  can  be  used 
instead  of  the  restrict  algorithm.  We  choose  to  use  the  restrict  algorithm  because 
of  the  above  property  and  because  it  works  well  in  practice  for  other  symbolic- 
model-checking  computations. 

4.2  Macro  Extraction  and  Expansion 

In  this  section,  we  describe  the  elimination  of  state  variables  based  on  macro  ex¬ 
traction  and  macro  expansion.  The  first  step  is  to  extract  macros  with  the  algorithm 
shown  in  Figure  1.  This  algorithm  extracts  macros  from  the  constrained  space  {C), 
which  is  represented  as  a  set  of  conjuncts.  It  first  uses  the  assignment-extraction 
algorithm  to  extract  assignment  expressions  (line  5).  It  then  identifies  the  determin¬ 
istic  assignments  as  candidate  macros  (line  6).  For  each  candidate,  the  algorithm 
tests  to  see  if  applying  the  macro  may  be  beneficial  (line  7).  This  test  is  based 
on  the  heuristic  that  if  the  BDD  graph  size  of  a  macro  is  not  too  large  and  its 
instantiation  does  not  cause  excessive  increase  in  other  BDDs’  graph  sizes,  then 
instantiating  this  macro  may  be  beneficial.  If  the  resulting  right-hand-side  g  is  not 
a  singleton  set,  it  is  kept  separately  (line  9).  These  g’s  are  combined  later  (line  10) 
to  determine  if  their  intersection  would  result  in  a  macro  (lines  1 1-13).  Finally,  this 
algorithm  returns  the  set  of  selected  macros  (line  14). 

After  the  maeros  are  extracted,  the  next  step  is  to  determine  the  instantiation 
order.  The  main  purpose  of  this  algorithm  (in  Figure  2)  is  to  remove  circular  depen¬ 
dencies.  For  example,  if  one  macro  defines  variable  vi  to  be  (t;2  A  vs)  and  a  second 
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extract_macros((7,  V) 

/*  Extract  macros  for  variables  in  V  from 
the  set  C  of  conjuncts  representing  the  constrained  space  */ 

1  M  0  /*  initialize  the  set  of  macros  found  so  far  */ 

2  for  each  v  eV  ^ 

3  TV  ^  0  /*  initialize  the  set  of  non-singletons  found  so  far  */ 

4  for  each  f  E  C  such  that  /  depends  on  v 

5  (g,  h)  ^  assignment-extraction  (/,  i;)  /*  /  =  (i;  E  g)  A  ft  */ 

6  if  (g  always  returns  a  singleton  set)  /*  macro  found  */ 

7  if  (is-this-result-good(g)) 

8  M  E- {(z;,g)}  U  M 

9  else  N  <-  {g}  U  N 

10  g’  ^  rigeTv  g 

11  if  (g*  always  returns  a  singleton  set)  /*  macro  found  */ 

12  if  ((is-this-result-good(g’)) 

13  M  {(v,g’)}UM 

14  return  M 


Figure  1:  Macro-extraction  algorithm.  In  lines  7  and  12,  “is-this-result-good”uses 
BDD  properties  (such  as  graph  sizes)  to  determine  if  the  result  should  be  kept. 


macro  defines  V2  to  be  (ui  V  v^),  then  instantiating  the  first  macro  results  in  a  cir¬ 
cular  definition  in  the  second  macro  iv2  =  (u2  A  ua)  V  U4)  and  thus  invalidates  this 
second  macro.  Similarly,  the  reverse  is  also  true.  To  determine  the  set  of  macros 
to  remove,  the  algorithm  builds  a  dependence  graph  (line  1)  and  breaks  circular 
dependencies  based  on  graph  sizes  (lines  2-4).  It  then  determines  the  ordering  of 
the  remaining  macros  based  on  the  topological  order  (line  4)  of  the  dependence 
graph. 

Finally,  in  the  topological  order,  each  macro  {v,  g)  is  instantiated  in  the  remain¬ 
ing  macros  and  in  all  other  expressions  (represented  by  BDDs)  in  the  system,  by 
substituting  the  variable  v  with  its  equivalent  expression  g. 

5  Evaluation 

5.1  Experimental  Setup 

The  benchmark  suite  used  is  a  collection  of  58  SMV  models  gathered  from  a  wide 
variety  of  sources,  including  the  16  models  used  in  a  BDD  performance  study  [17]. 
Out  of  these  58  models,  37  models  have  no  time-invariant  constraints,  and  thus 
our  optimizations  are  not  triggered  and  have  no  influence  on  the  overall  verifica¬ 
tion  time.  Out  of  the  remaining  21  models,  10  very  small  models  (<  10  seconds) 
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order jnacros(M) 

/*  Determine  the  instantiation  order  of  the  macros  in  set  M  */ 

/*  first  build  the  dependence  graph  G  =  (M,  E)  */ 

1  E  =  {{x,y)\x  -  (v®,  g^)  eM,y=  {vy,gy)  £  M, gy  depends  on  v^c} 
/*  then  remove  circular  dependences  */ 

2  while  there  are  cycles  in  G, 

3  Me  set  of  macros  that  are  in  some  cycle 

4  remove  the  macro  with  largest  BDD  size  in  Me 

5  return  a  topological  ordering  of  the  remaining  macros  in  G 


Figure  2:  Macro-ordering  algorithm. 


are  eliminated.  On  the  remaining  11  models,  our  optimizations  have  made  non- 
negligible  performance  impact  on  7  models,  where  the  results  changed  by  more 
than  10  CPU  seconds  and  10%  from  the  base  case  where  no  optimizations  are  en¬ 
abled.  In  Figure  3,  we  briefly  describe  these  7  models.  Note  that  some  of  these 
models  are  quite  large,  with  up  to  1200  state  bits. 


Model 

#  of  State  Bits 

Description 

acs 

497 

the  altitude-control  module  of  NASA’s  DSl  spacecraft 

dsl-b 

657 

a  buggy  fault  diagnosis  model  for  NASA’s  DSl  spacecraft 

dsl 

657 

corrected  version  of  dsl~b 

futurebus 

174 

FutureBus  cache  coherency  protocol 

nomad 

1273 

tault  diagnosis  model  for  an  Antarctic  meteorite  explorer 

v-gate 

86 

reactor-system  model 

xavier 

100 

fault  diagnosis  model  for  the  Xavier  robot 

Figure  3:  Description  of  models  whose  performance  results  are  affected  by  oin 
optimizations. 

The  results  reported  in  this  section  are  labeled  with  the  following  keys  to  indi¬ 
cate  which  optimizations  are  enabled: 

None:  no  optimizations. 

Quan:  the  “early  quantification  on  the  constrained  space”  optimiza¬ 
tion  (Section  3). 

SynM:  S5mtactic  analysis  for  macro-extraction  and  macro-expansion. 

This  algorithm  pattern  matches  deterministic  assignment  expres¬ 
sions  (v  ==  f,  where  u  is  a  state  variable  and  /  is  an  expression) 
as  macros  and  expands  these  macros. 
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BDDM:  the  BDD-based  macro  extraction  and  macro  expansion  (Sec¬ 
tion  4). 

Q+SynM:  both  Quan  and  SynM  optimizations. 

Q+BDDM:  both  Quan  and  BDDM  optimizations. 

We  performed  the  evaluation  using  the  Symbolic  Model  Verifier  (SMV)  model 
checker  [11]  from  Carnegie  Mellon  University.  Conjunctive  partitioning  was  used 
only  when  it  was  necessary  to  complete  the  verification.  In  these  cases  (including 
acs,  nomad,  dsl-b,  and  dsl),  the  size  limit  for  each  partition  was  set  to  10,000 
BDD  nodes.  For  the  remaining  cases,  the  transition  relations  were  represented  as 
monolithic  BDDs.  The  constrained  space  C  was  represented  as  a  conjunction  with 
each  conjunct’s  BDD  graph  size  limited  to  10,000  nodes.  Without  partitioning,  we 
could  not  constract  the  BDD  representation  for  the  constrained  space  for  4  models. 
The  evaluation  was  performed  on  a  200MHz  Pentium-Pro  with  1  GB  of  memory 
running  Linux.  Each  run  was  limited  to  6  hours  of  CPU  time  and  900  MB  of 
memory. 

In  Figure  4,  we  show  the  miming  time  of  different  optimizations.  Note  that 
for  all  benchmarks,  the  time  spent  by  our  optimizations  is  very  small  (<  5  seconds 
or  <  5%  of  total  time)  and  is  included  in  the  miming  time  shown.  In  the  rest  of 
this  section,  we  analyze  these  results  in  the  following  order:  the  overall  impact 
of  our  optimizations  (Section  5.2),  the  impact  of  early  quantification  on  the  con¬ 
straint  space  (Section  5.3),  and  the  impact  of  macro  optimization  (Section  5.4).  We 
then  finish  with  a  brief  study  on  the  impact  of  different  size  limits  for  conjunctive 
partitioning  (Section  5.5). 


Model 

None 

(sec) 

Quan 

(sec) 

SynM 

(sec) 

BDDM 

(sec) 

Q+SynM 

(sec) 

Q+BDDM 

(sec) 

acs 

m,o. 

32 

m,o. 

1059 

76 

7 

dsl-b 

m.o. 

321 

to. 

m,o. 

138 

54 

dsl 

m.o. 

m.o. 

m,o. 

to. 

to. 

37 

fiiturebus 

1410 

53 

78 

37 

35 

19 

nomad 

m.o. 

to. 

m,o. 

to. 

7801 

633 

v-gates 

36 

35 

51 

50 

53 

50 

xavier 

16 

5 

6 

5 

1 

2 

Figure  4:  Running  time  with  different  optimizations  enabled.  The  w.o.’s  and  /.o.’s 
are  the  results  that  exceeded  the  900-MB  memory  limit  and  the  6-hour  time  limit, 
respectively. 
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5.2  Overall  Results 


The  results  in  Figure  5  show  the  overall  performance  impact  of  our  optimizations. 
These  results  demonstrate  that  our  optimizations  have  significantly  improved  the 
performance  for  2  models  (with  speedups  up  to  74)  and  have  enabled  the  verifica¬ 
tion  of  4  models.  For  the  v-gates  model,  the  performance  degradation  (speedup  = 
0.7)  is  in  the  computation  of  the  reachable  states  from  the  initial  states.  Upon  fur¬ 
ther  investigation,  we  believe  that  it  is  caused  by  the  macro  optimization,  which  in¬ 
creases  the  graph  size  of  the  transition  relation  from  1 22-thousand  to  476-thousand 
nodes.  This  case  demonstrates  that  reducing  the  number  of  state  variables  does  not 
always  improve  performance. 


Model 

None  (sec) 

Q+BDDM  (sec) 

None  /  Q+BDDM  (speedup) 

acs 

m.o. 

7 

enabled 

dsl -buggy 

m.o. 

54 

enabled 

dsl 

m.o. 

367 

enabled 

futurebus 

1410 

19 

142 

nomad 

m.o. 

633 

enabled 

valves-gates 

36 

50 

0.7 

xavier 

16 

2 

8.0 

Figure  5:  Overall  impact  of  our  optimizations.  The  m.o.'s  are  the  results  that  ex¬ 
ceeded  the  900-MB  memory  limit. 


53  Impact  of  Early  Quantification 

The  results  in  Figure  6  show  the  impact  of  applying  early  quantification  on  time- 
invariant  constraints.  The  impact  is  measured  both  in  the  number  of  quantify¬ 
ing  BDD  variables  extracted  from  the  transition  relations  and  in  the  performance 
speedups.  The  speedup  results  for  None  /  Quan  show  that  adding  this  optimization 
has  enabled  the  verification  of  cics  and  dsl-b,  and  achieved  significant  performance 
improvement  on  futurebus  (speedup  of  26).  The  results  in  the  Quan  columns  show 
that  this  improvement  is  mostly  due  to  the  fact  that  a  large  number  of  variables  can 
be  pulled  out  of  the  transition  relations  and  applied  to  conjunctive  partitioning  and 
early  quantification  of  the  time-invariant  constraints. 

From  the  Q+BDDM  and  BDDM  /  Q+BDDM  columns,  we  observe  similar 
results  in  presence  of  BDD-based  macro  optimization.  Note  that  for  the  Q+BDDM 
colunms,  the  “#  of  BDD  vars  extracted”  results  also  include  the  number  of  BDD 
variables  that  are  removed  by  the  macro  optimization.  This  is  done  to  make  the 
comparison  between  Quan  and  Q+BDDM  results  easier. 
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The  results  in  Figure  6  show  two  additional  interesting  points.  First,  the  num¬ 
ber  of  variables  extracted  for  pre-image  computation  is  more  than  that  extracted  for 
image  computation.  This  is  because  some  variables  are  only  used  in  their  present- 
state  form  in  the  transition  relation  (see  iirst  example  in  Section  2.2).  Second, 
comparing  the  results  between  Quan  and  Q+BDDM  columns  indicates  that  the 
macro  optimization  generally  does  not  interfere  with  the  early-quantification  opti¬ 
mization.  The  one  exception  is  the  nomad  model,  where  the  macro  optimization 
introduced  114  BDD  variables  ((1121  -  1067)  present-state  variables  plus  (1174  - 
1 1 14)  next-state  variables)  to  the  overall  transition  relation. 


Model 

Total 

#of 

BDD 

Vars 

Effects  of  CP  Optimization 

1  #  of  BDD  vars  extracted 

1  performance  speedup 

Quan 

img  p-img 

Q+BDDM 
img  p-img 

None/ 

Quan 

BDDM/ 

Q+BDDM 

acs 

994 

439 

449 

437 

449 

enabled 

151.0 

546 

566 

enabled 

enabled 

546 

566 

n/a 

enabled 

EBl 

58 

54 

mssi 

1.9 

nomad 

1067 

msBM 

enabled 

v-gates 

Mill  1 

0 

17 

00 

17 

1.0 

xavier 

200 

69 

86 

69 

86 

3.2 

2.5 

Figure  6:  Effectiveness  of  the  extended  conjunctive-partitioning  optimization.  The 
effectiveness  measures  are  (1)  the  number  of  quantifying  BDD  variables  that  are 
pulled  out  of  the  transition  relation  for  early  quantification  of  the  time-invariant 
constraints,  and  (2)  the  impact  on  overall  running  time  as  performance  speedups. 
For  both  measures,  we  present  results  both  with  (-^BDDM)  and  without  the  BDD- 
based  macro  optimization.  The  n/a  indicates  that  the  speedup  can  not  be  computed 
because  both  cases  failed  to  finish  within  the  resource  limits.  Note:  the  number 
of  BDD  variables  is  twice  the  number  of  state  variables — one  copy  for  the  present 
state  and  one  copy  for  the  next  state. 


5.4  Impact  of  Macro  Extraction  and  Macro  Expansion 

The  results  in  Figure  7  show  the  impact  of  the  BDD-based  macro  optimization. 
This  impact  is  measured  both  in  the  number  of  BDD  variables  removed  and  in 
the  performance  speedups.  The  performance  results  in  the  None  /  BDDM  column 
show  that  adding  this  optimization  has  enabled  the  verification  of  acs  and  achieved 
significant  performance  improvement  on  futurebus  (speedup  of  38).  The  results  are 
similar  in  presence  of  the  early-quantification  optimization  (the  Quan  /  Q+BDDM 
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column).  The  results  for  “#  of  BDD  vars  removed”  show  that  these  performance 
improvements  are  due  to  the  effectiveness  of  BDD-based  macro  optimization  in  re¬ 
moving  variables;  in  particular,  over  a  third  of  variables  are  removed  for  4  models. 


Model 

Total 
#  of  BDD 
Variables 

Effects  of  1 

IDD-based  Macro  Optimization 

#QfBDD 

variables 

removed 

performance  speedup 

None/ 

BDDM 

Quan/ 

Q+BDDM 

acs 

994 

352 

enabled 

4.5 

dsl-b 

1314 

492 

n/a 

5.9 

dsl 

1314 

496 

n/a 

enabled 

futurebus 

348 

r  18 

38.1 

2.7 

nomad 

2546 

844 

n/a 

enabled 

v-gates 

172 

16 

0.7 

0.7 

xavier 

200 

116 

3.2 

2.5 

Figure  7:  Effectiveness  of  macro  optimizations.  The  effectiveness  measures  are 
(1)  the  number  of  BDD  variables  removed  by  macro  optimization,  and  (2)  the 
impact  on  overall  running  time  as  performance  speedups.  For  both  measures,  we 
present  results  both  with  and  without  the  early-quantification  optimization.  The 
n/a  indicates  that  the  speedup  can  not  be  computed  because  both  cases  failed  to 
finish  within  the  resource  limits.  Note:  the  number  of  BDD  variables  is  twice  the 
number  of  state  variables . 

To  evaluate  the  effectiveness  of  syntactic-based  vs.  BDD-based  macro  extrac¬ 
tion,  we  compare  the  impact  of  these  two  approaches  using  both  the  number  of 
BDD  variables  removed  and  the  running  time  (Figure  8).  The  comparison  is  done 
for  both  with  and  without  the  early-quantification  optimization.  Note  that  the  early- 
quantification  optimization  does  not  affect  the  number  of  BDD  variables  removed. 
Thus,  the  #  of  BDD  vars  removed”  results  are  the  same  for  both  with  and  without 
the  early-quantification  optimization. 

Without  the  early-quantification  optimization  (the  SynM  /  BDDM  column), 
the  results  show  that  the  BDD-based  approach  is  better  with  the  verification  of  acs 
enabled.  With  the  early-quantification  optimization  (the  Q+SynM  /  Q+BDDM 
column),  the  results  show  that  the  BDD-based  approach  has  enabled  the  verifica¬ 
tion  of  dsl  and  generally  has  better  performance,  with  speedups  of  over  10  in  acs 
and  nomad.  In  the  xavier  case,  the  slowdown  is  2  (speedup  of  0.5)  because  the 
Q+BDDM  used  one  extra  second  in  macro  extraction.  The  overall  performance 
improvements  are  due  to  that  the  BDD-based  approach  is  more  effective  in  reduc¬ 
ing  the  number  of  variables  (“#  of  BDD  vars  removed”  columns).  In  particular, 
for  the  acs,  nomad,  dsl-b,  and  dsl  models,  >  150  additional  BDD  variables  (i.e.. 
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>  75  state  bits)  are  removed  in  comparison  to  using  syntactic  analysis. 


Model 

Total 

#of 

BDD 

Vars 

Syntax  vs.  BDD-based  Macro  Optimization 

#  of  BDD  vars  removed 

1  performance  Speedup 

SynM  or 
Q+SynM 

BDDMor 

Q+BDDM 

SynM/ 

BDDM 

Q+SynM/ 

Q+BDDM 

acs 

994 

82 

352 

enabled 

10.8 

148 

492 

n/a 

ksei 

496 

n/a 

enabled 

ESBa 

12 

18 

2.1 

1.8 

688 

844 

n/a 

WtkilkM 

16 

16 

1.0 

1.0 

xavier 

200 

64 

116 

1.2 

1/2  =  0.5 

Figure  8:  Syntactic-based  vs.  BDD-based  macro  optimization.  The  effectiveness 
measures  are  (1)  the  number  of  BDD  variables  removed,  and  (2)  the  impact  on 
overall  running  time  as  performance  speedups.  For  both  measures,  we  present  re¬ 
sults  both  with  and  without  the  early-quantification  optimization.  The  n/a  indicates 
that  the  speedup  can  not  be  computed  because  both  cases  failed  to  finish  within  the 
resource  limits.  Note:  the  number  of  BDD  variables  is  twice  the  number  of  state 
variables. 


5,5  Impact  of  Conjunctive-Partitioning  Size  Limit 

Because  the  conjunctive-partitioning  algorithm  often  produces  significantly  dif¬ 
ferent  performance  results  with  different  partition-size  limits,  we  have  also  re¬ 
evaluated  the  above  results  using  a  partition-size  limit  of  100,000  nodes.  The  new 
results  generally  follow  the  same  trend  as  before  with  the  exception  of  dsl-b  and 
dsl.  For  these  two  models,  the  results  (Figure  9)  show  that  if  we  choose  the  right 
partition-size  limit  for  each  case,  we  do  not  need  to  perform  the  macro  optimiza¬ 
tion  to  verify  them.  (Note  that  this  is  not  always  true;  e.g.,  the  nomad  model  caimot 
be  verified  without  the  macro  optimization.)  However,  with  the  BDD-based  macro 
optimization  (the  Q+BDDM  colunm),  the  performance  results  are  more  stable  and 
are  generally  much  better. 

6  Related  Work 

There  have  been  many  research  efforts  on  BDD-based  redundant  state-variable 
removal  in  both  logic  synthesis  and  verification.  These  research  efforts  all  use 
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Model 

Partition 
Size  Limit 
(#  of  nodes) 

None 

(sec) 

Quan 

(sec) 

SynM 

(sec) 

BDDM 

(sec) 

Q+SynM 

(sec) 

Q+BDDM 

(sec) 

dsl-b 

10,000 

m.o. 

321 

to. 

m.o. 

138 

54 

dsl-b 

100,000 

to. 

309 

to. 

m.o. 

t.o. 

101 

dsl 

10,000 

m.o. 

m.o. 

m.o. 

to. 

t.o. 

37 

dsl 

100,000 

m.o. 

255 

to. 

m.o. 

92 

74 

Figure  9:  Effects  of  the  partition-size  limit.  The  nuo.  ’s  and  t.o.  ’s  are  the  results  that 
exceeded  the  900-MB  memory  limit  and  the  6-hour  time  limit,  respectively. 


the  reachable  state  space  (set  of  states  reachable  from  initial  states)  to  determine 
functional  dependencies  for  Boolean  variables  (macro  extraction).  The  reachable 
state  space  effectively  plays  the  same  role  as  a  time-invariant  constraint,  because 
the  verification  process  only  needs  to  check  specifications  in  the  reachable  state 
space. 

Beithet  et  al.  propose  the  first  redundant  state- variable  removal  algorithm  in 
[3].  In  [10],  Lin  and  Newton  describe  a  branch-and-bound  algorithm  to  identify 
the  maximum  set  of  redundant  state  variables.  In  [13],  Sentovich  et  al.  propose 
new  algorithms  for  latch  removal  and  latch  replacement  in  logic  synthesis.  There 
is  also  some  work  on  detecting  and  removing  redundant  state  variables  while  the 
reachable  state  space  is  being  computed  [9,  15]. 

From  the  algorithmic  point  of  view,  our  approach  is  different  from  prior  work 
in  two  ways.  First,  in  determining  the  relationship  between  variables,  the  algo¬ 
rithms  used  to  extract  functional  dependencies  in  previous  work  can  be  viewed 
as  direct  extraction  of  deterministic  assignments  to  Boolean  variables.  In  compari¬ 
son,  our  assignment  extraction  algorithm  is  more  general  because  it  can  also  handle 
non-Boolean  variables  and  extract  non-deterministic  assignments.  Second,  in  per¬ 
forming  the  redundant  state-variable  removal,  the  approach  used  in  the  previous 
work  would  need  to  combine  all  the  constraints  first  and  then  extract  the  macros 
directly  firom  the  combined  result.  However,  for  coristraint-rich  models,  it  may  not 
be  possible  to  combine  all  the  constraints  because  the  resulting  BDD  is  too  large 
to  build.  Our  approach  addresses  this  issue  by  first  applying  the  assignment  ex¬ 
traction  algorithm  to  each  constraint  separately  and  then  combining  the  results  to 
determine  if  a  macro  can  be  extracted  (see  Figure  1). 

Another  difference  is  that  in  previous  work,  the  goal  is  to  remove  as  many 
variables  as  possible.  However,  we  have  empirically  observed  that  in  some  cases, 
removing  additional  variables  can  result  in  significant  performance  degradation  in 
overall  verification  time  (slowdown  over  4).  To  address  this  issue,  we  use  simple 
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heuristics  (size  of  the  macro  and  the  growth  in  graph  sizes)  to  choose  the  set  of 
macros  to  expand.  This  simple  heuristic  works  well  in  the  test  cases  we  tried. 
However,  in  order  to  fiilly  evaluate  the  impact  of  different  heuristics,  we  need  to 
gather  a  larger  set  of  constraint-rich  models  from  a  wider  range  of  applications. 

/ 

7  Conclusions  and  Future  Work 

The  two  optimizations  we  proposed  are  crucial  in  verifying  this  new  class  of  constraint- 
rich  applications.  In  particular,  they  have  enabled  the  verification  of  real-world 
applications  such  as  the  Nomad  robot  and  the  NASA  Deep  Space  One  spacecraft. 

We  have  shown  that  the  BDD-based  assignment-extraction  algorithm  is  effec¬ 
tive  in  identifying  macros.  We  plan  to  use  this  algorithm  to  perform  a  more  precise 
cone-of-influence  analysis  with  the  assignment  expressions  providing  the  exact  de¬ 
pendence  information  between  the  variables.  In  general,  we  plan  to  study  how 
BDDs  can  be  use  to  further  help  other  compile-time  optimizations  in  symbolic 
model  checking. 
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A  Correctness  Proof  for  Assignment-Extraction  Algorithm 

In  this  section,  we  present  a  correctness  proof  for  the  assignment-extraction  algo¬ 
rithm  in  Section  4.1.  Before  presenting  the  main  result,  we  first  state  and  prove  two 
supporting  lemmas. 

Lemma  1  Let  care-opt  be  any  care-space  optimization.  Then,  for  arbitrary  set 
expression  t.  Boolean  formula  h,  and  variable  v, 

(u  G  care-opt{t,  h))  Ah  =  care-opt{v  £t,h)  A  h. 


Proof 

By  the  definition  of  the  care-space  optimization,  we  have  the  following  prop¬ 
erties: 


h  {care-opt{t,  h)  ==  t) , 

h  [care-opt{v  €  t,  h)  ==  {v  €  t)]. 
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Therefore, 


{v  e  care-opt{t,  h))  Ah  =  {v  et)  Ah 

=  care-opt{v  ^i,h)  Ah. 

□ 

Lemma  2  Given  an  arbitrary  Boolean  formula  f  and  a  variable  v.  Let 

V 

where  Ky  is  the  set  of  all  possible  values  of  variable  v.  Then, 

{vet)  =  f. 

Proof 

u€t  =  Y  {v  ==  k')  A  {k' e  t) 

k'£K„ 

=  V  («  ==  ^0  A  [k'  €  U  UEifU^k,  0)] 

k'eKv  keKv 

=  \/  {v==  k')  A  \/  [k'e  ITEifUk,  {A:},  0)] 

k'^Kv  keKv 

=  \/  {v==  k')  A  V  ITE{f\y^k,  k'  e  {k},  k'  €  0) 

k'&Kv  k^K„ 

=  \J  {v==:k')A  V  rrE{f\y^k,k' ^{k},t)) 

k'eKy  keKy 

=  y  iv==k^)AlTE{f\y^k',k'e{k%0) 

k'eKv 

=  Y  {v==k')AlTEif\y^k',hO) 

k^^Kv 

=  V  ^ 

k'&Ky 
=  /. 

□ 

Using  the  two  lemmas  above,  we  can  now  prove  the  correctness  of  the  assignment- 
extraction  algorithm. 
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Theorem  1  Given  an  arbitrary  Boolean  formula  f  and  a  variable  v.  Let 


h  =  3v.f, 

t  =  U  ITEifUkAk},^), 

g  =  care-opt{t,  h) , 

where  care-opt  is  any  care-space  optimization  algorithm  and  care-opt{t,  h)  does 
not  depend  on  any  new  variables  (other  than  those  already  in  t  and  h).  Then,  the 
following  conditions  are  true. 

1.  f  =  (v  eg)  Ah, 

2.  g  does  not  depend  on  v,  and 

3.  h  is  a  Boolean  formula  and  does  not  depend  on  v. 


Proof 

To  prove  Condition  1 ,  we  apply  both  Lemma  1  and  Lemma  2  in  the  following 
derivation: 


[v  e^  Ah  = 


[v  e  care-opt{t,  h))  A  h 
care-opt{v  et,h)  Ah 
care-opt{f,  h)  Ah 
fAh 
fA3v.f 

f 


Condition  2  is  true  because  t  does  not  depend  on  v  (by  construction)  and  the 
care-opt  algorithm  does  not  introduce  new  variable  dependencies  (given). 
Condition  3  is  true  because  /  is  a  Boolean  formula  and  h  =  3v.f  is  a 
Boolean  formula  that  does  not  depend  on  v. 

□ 
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